IE had a registry-based feature control, FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE, that was supposed to prevent certain WebOC navigation abuses. When PresentationHost.exe (the Silverlight host) was not listed in that key, a javascript: URL passed to Navigate2 could read cross-origin content.
wbControl.Navigate2(
'javascript:alert(location.href + "\n\n" + document.body.innerText)',
0, 'xdomIFrame'
);
The PoC required that the Silverlight host process not be enrolled in the safety feature. In default installations this was the case. Adding PresentationHost.exe to the FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE registry key mitigated the issue, but the real fix was ensuring Navigate2 applied proper origin checks regardless of host process configuration.
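A defender-side check for the enrollment described above, as an added example that is not part of the original post. It assumes the key sits in the standard IE FeatureControl registry location; the function name Get-FeatureControlState is hypothetical.

```powershell
# Audit: is a WebOC host process opted in to FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE?
# Assumption: the feature key lives under the standard IE FeatureControl path.
$Feature = 'FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE'
$HostExe = 'PresentationHost.exe'
$SubKey  = "SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$Feature"

function Get-FeatureControlState {
    param([string]$ProcessName)
    $hives = @{ HKLM = [Microsoft.Win32.RegistryHive]::LocalMachine
                HKCU = [Microsoft.Win32.RegistryHive]::CurrentUser }
    # Check both views so 32-bit hosts (WOW6432Node) are not missed.
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32
    foreach ($hive in $hives.GetEnumerator()) {
        foreach ($view in $views) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive.Value, $view)
            $key  = $base.OpenSubKey($SubKey)
            # A per-process value or the "*" wildcard value can enable the feature.
            foreach ($name in $ProcessName, '*') {
                $value = if ($key) { $key.GetValue($name, $null) } else { $null }
                [pscustomobject]@{
                    Hive = $hive.Key; View = $view; ValueName = $name
                    Data = $value; Enabled = ($value -eq 1)
                }
            }
            if ($key) { $key.Dispose() }
            $base.Dispose()
        }
    }
}

# Report every location; precedence between locations is not evaluated here.
$state = Get-FeatureControlState -ProcessName $HostExe
$state | Format-Table -AutoSize
if (-not ($state | Where-Object Enabled)) {
    Write-Warning "$HostExe is not enrolled in $Feature in any hive or registry view."
}
```

The script only reads the registry; a row with Enabled = True means that location opts the process (or all processes, for "*") in to the feature.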
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.